Our study shows that attackers have serious efforts devoted towards getting in front of the billions of eyeballs that are using search engines everyday and the millions of users that are connecting on social networks like Twitter. These research efforts allow us to continue to analyze their approaches and build new techniques to find them and protect users. Highlights of the study are below, and you can download the full report off the BarracudaLabs.com homepage.

Searching for Malware

We conducted a study across Bing, Google, Twitter and Yahoo! over a roughly two-month period. The analysis reviews more than 25,000 trending topics and nearly 5.5 million search results. The purpose of the study was to analyze trending topics on popular search engines to understand the scope of the problem and to identify the types of topics used by malware distributors.  Key highlights:

• Overall, Google takes the crown for malware distribution – turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google presents at 69 percent; Yahoo! at 18 percent; Bing at 12 percent; and Twitter at one percent.
• The average amount of time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!
• Over half of the malware found was between the hours of 4:00 a.m. and 10:00 a.m. GMT.
• The top 10 terms used by malware distributors include the name of a NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.

The Darkside of Twitter

As part of an ongoing study to data we released in June 2009 and subsequently in March 2010, we analyzed more than 25 million Twitter accounts, both legitimate and malicious. The purpose of this part of the study was to measure and analyze account behavior on Twitter in order to model normal user behavior and identify features that are strong indicators of illegitimate account use. The study reviews several key areas including True Twitter Users¹, Twitter Crime Rate², and Tweet Number³.  Key highlights:

• In general, activity is increasing on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.
• Only 28.87 percent of Twitter users are actual True Twitter Users.
• Half of Twitter users tweet less than once a day, yet one in 10 users tweet five or more times a day and 30 percent of Twitter accounts have never tweeted.
• One in every eight Twitter users has at least 10 times more followers than they are following.
• Only one in 10 users is following more than 100 users, and almost half are following less than five.
• The Twitter Crime Rate for the first half of 2010 was 1.67 percent.

We are presenting the findings of both studies, as well as other Barracuda Labs work, at Security BSides Las Vegas and DefCON 18 this week in Las Vegas. Come see us!

Security BSides Las Vegas:

Wednesday July 28 at 3pm PT – The Darkside of Twitter (Dr. Paul Judge, Dave Maynor)

Thursday July 29 at 3pm PT – A Mechanics View of SQL Injection (Ray Kelly)

DefCON 18:

Saturday July 31 at 11am PT – Searching for Malware (Dr. Paul Judge, Dave Maynor)

Resources:

• Download the Barracuda Labs 2010 Midyear Security Report at http://www.barracudalabs.com/research_resources.html.
• View the Barracuda Labs security research portal at http://BarracudaLabs.com.
• Follow Barracuda Labs on Twitter at @barracudalabs.

Footnotes:

1 – ‘True Twitter User’ is defined as a user that has at least (≥) 10 followers, follows at least (≥) 10 people, and has tweeted at least (≥) 10 times.

2 – ‘Twitter Crime Rate’ is defined as the percentage of accounts created per month that were eventually suspended for malicious or suspicious activity, or otherwise misused.

3 – ‘Tweet Number’ is defined as a user’s average number of tweets per day.

This week, we have seen a surge in the number of spams like the one below, promising a new Social Security Number (SSN) to victims of Identity Theft.

Most people would take one look at this spam and hit the delete button, but it is worth taking a moment to understand what’s being offered.

The scam behind the spam

If you are a citizen of the United States, your SSN is a de facto personal identification number.  With your name, your SSN and a few other bits of personal information, an identity thief can ruin your credit and turn your life into a nightmare.

Since a stolen SSN is at the center of the nightmare, this scam attempts to convince identity fraud victims that a new SSN will take care of their problems and that for a fee, the company – Get New SSN – will help.  Calling the number in the spam connects you to a slick sounding recording and then a human operator who takes your personal information.

What really happens is that the victim of these scams is given a Federal Employer Identification Number (FEIN), which looks just like a SSN but serves a completely different purpose.  The victim uses this FEIN as if it were a SSN without realizing that they are committing fraud.  What’s more, by using the FEIN in place of their real SSN, they are doing permanent harm to their Social Security record since income earned when using an FEIN is not eligible for Social Security reporting.

The Social Security Administration issues new numbers only in the event of severe identity theft, and even then only rarely, and all Social Security services are offered at no cost.

As you would expect of a scam, these spams contain no valid reply information.  Not only do the scammers send out email spam, they post spam to unprotected online forums as well.  This is done automatically by ‘bots’ which are indiscriminate in their targets.  Below is an example of the “New SSN” posted to a Japanese blog:

The email mentioned in these forum spams, getnewssn@gmx.com, is hosted at a free German email service. Not quite what one would expect from a company offering to help with an American government agency.

Barracuda Spam & Virus Firewalls block these spam messages.

Barracuda Labs spam monitoring systems have picked up a massive new spam campaign whose messages pretend to be output files from a popular Xerox office copier.

Hundreds of thousands of these messages are circulating around the globe, titled Scan from a Xerox WorkCentre Pro and containing a single .zip file attachment tagged with a random number that helps them avoid detection by anti-spam technology. In fact, Virus Total calculates detection rates at around 19.5% as referenced by certain TechHerald employees today.

The message format closely mimics the one used by a real Xerox WorkCentre Pro, except for one detail – Xerox scanners do not email their outputs using the .zip format. The WorkCentre Pro from Xerox typically scans documents to PDF, email or FTP accounts.

The message text claims that the attachment is a zipped .doc file, and the .zip file itself hides the true extension of the file contained within.  It is not until you go to open the file that you see its true nature.  It is an executable and it is not scanner output – it is a variant of Trojan Oficla.

Choosing  Run (which you should not do) seems to do nothing at all – the Trojan runs but does not display any decoy image.  Rather, it simply installs itself and gets to work in the background downloading other malware.

Samples executed at Barracuda Labs quickly start up a Spambot which sends out more copies of the same message.

As always, never trust unexpected emails, and in particular, never press the “Run” button unless you are 100% certain of what you are doing.  Word documents are “opened” and they are not “run” at any time. And, of course, always keep your security software updated on your system. If this message lands in your inbox, please delete and make sure to spread this message with your friends and colleagues.

Barracuda Spam & Virus Firewall customers are protected from this attack.

Barracuda Labs has found compromised sites in the wild which present unwary visitors with an official-looking Adobe Flash update page. Even though this page looks convincing, downloading this ‘update’ only provides the user with a nasty piece of malware that McAfee currently classifies as Downloader-CEW.f.

We recommend getting Adobe Flash updates directly from the source – http://get.adobe.com/flashplayer.

How it happens

Performing a quick search for a breaking news topic, such as LeBron James opening his own Twitter account, starts the process. Searching for “LeBron James Twitter” gives the highlighted result a rank of 62.

Google Results for trend topic "LeBron James Twitter"

Clicking on the highlighted result  sends the user directly to the fake upgrade page. Note that the actual domain is registered in the Cocos Islands.  Also note that the dialog offers Adobe Flash Player 11, while (at this writing) the current version of Flash is 10.1.

Fake Adobe Flash Update Dialog

Another sign that this dialog box is bad news is that none of the buttons close the dialog.  Clicking both “Cancel” and “Details” implores the user to click “Ok”  (which is not a button name).   Only “Continue” offers the user a path forward, to a Windows Security Warning dialog.

If the user does run the file, it will download a background clicker that uses the Internet connection to generate fake Internet traffic.  While this activity goes on unseen, additional scamware and spyware programs are downloaded, as seen below.

PC infected with malware

The unsuspecting user can be compromised in no time, which is why it is recommended to get Adobe Flash updates directly from the source.

Barracuda Web Filter and Barracuda Purewire Web Security Service customers are protected from these attacks.

This week a new sort of spam started showing up in the Barracuda Labs Spam Honeypots – fake sender verification emails such as the one below:

Sender Verification emails ask users to verify that they sent a particular email to someone, usually by responding with another email, or as in this case, by clicking on an embedded link.

Under normal circumstances, these emails come from an email server that has been enhanced with  sender verification software as a spam-fighting measure.  While this software is not as common as it once was, these systems still are used by some businesses and ISPs.

However, the example above merely pretends to be one of these verification emails and is not from an email server at all.  Instead, it is cleverly constructed spam whose included link can take the recipient to suspicious Websites, or even offer up executable malware.

This spam appears plausible and easily can trick the unwary email user.

Close examination does reveal several tell-all signs that this email is suspicious. For starters, the name of the person supposedly emailed is missing.  Second, the domain that the email purports to come from is the same domain as that of the user, which makes no sense since the user should not need to verify himself to his own mail server.

Indeed,  one aspect of this campaign is that each spam is carefully tailored to  reference the email domain of the recipient, most likely because that domain is one the recipient knows and trusts.

The message is sent only in HTML format, and the link has varied over time. In some cases, it redirects to Canadian Pharmacy Viagra sites.  In others, the link presents the user with a Windows .EXE to run, which is a variant of the rapidly spreading TDSS rootkit.

While it is easy enough to hover over the link and see that it does not go back to the organization shown as having sent the email, many users will not question the name of the domain in the verification link.

Barracuda Spam & Virus Firewalls block these emails.  We suggest users take note and warn other email users of this new social engineering tactic.  These emails do not fight spam; they ARE spam.

Eminem still isn’t dead… at least not as of June 2010. Barracuda Labs honeypots have received thousands of copies of a new spam that is trying to take advantage of a venerable hoax that rap artist Eminem has died in a car crash, this time according to CBS news.

The entire poorly written story is contained in an image that links to a file, outlined in red above. The victims are led to believe they are clicking on a CBS story, but actually the file downloads EminemDead.exe. Running this file installs a backdoor on the victim’s computer which has very low detection rates – VirusTotal results.

This once again reiterates the importance of never running anything distributed in an email unless the source is known.

Barracuda Spam & Virus Firewalls intercept these emails, and Barracuda Web Filters block the payload.

Many savvy computer users have experience setting up a wireless access point in their home or office. It’s not that hard, really. Change the SSID, change the password, and perhaps change the channel. Set the IP and you’re good to go.

But if that’s all you’ve done, you could be leaving open an attack vector that malware authors have been targeting for years. They’re still targeting it today.

Many routers, including those that are part of wireless access points, implement the Universal Plug and Play (UPnP) interface. This interface allows programs running on computers connected to the router to control the router.  No authentication is necessary. The bad news is that this makes it easy for malware to change router settings.

While scanning for malware, we found this bogus forum post pretending to be a video recipe for Yankee Pot Roast. However, when looking a bit closer, it revealed itself as TROJ_TDSS.AKA, a downloader that initially downloads a fake antivirus but, as demonstrated, also tries to open a port in the gateway, leaving your computer and personal information exposed.

Malware automatically opening a port in the gateway is significant because most router users, particularly most home wireless access point users, assume a few simple security steps are all they need – enable WEP or WPA, set a strong password and you’re good (enough) to go. The UPnP vulnerability doesn’t have very high non-geek visibility, even though it’s still being exploited – and by Conficker no less.  And despite it having been around for quite a while now (referenced in this ZDNet article at http://www.zdnet.com/blog/soho-networking/wi-fi-routers-vulnerable-to-upnp-attack-from-hackers/120), it’s still alive and incredibly widespread. In fact, Google gives approximately 1,870,000 results for sites linking to the primary attack site, hxxp://vixensandschoolgirls.com.

Users should check to see if their routers allow for more secured startups. For example, it is recommended to disable UPnP and to use forced static IP so that the system will not be subject to unannounced attacks leaving the DHCP server open to assign an IP to any system that breaches your WiFi security.

Further, this once again reiterates the importance of knowing the source of information online, and to not click on links from unknown sources.

Screenshots of the attack follow for reference.

1)  Clicking on this ‘video’ brings up another window displaying a video prompt.

2) At this point, the astute user might wonder why the Yankee Pot Roast recipe is being offered up by hxxp://vixensandschoolgirls.com, but then the standard Windows warning message appears.

3) Running the offered program doesn’t seem to do anything at first. After a long delay, a fake anti-malware program named Defense Center is downloaded and executed.

4) Meanwhile, behind the scenes, multiple attempts are made against the router, followed by this UPnP payload. The payload changes the firewall settings of the router to open a port for additional malicious traffic. Conficker uses this same internal UPnP attack against routers to open up ports for its peer-to-peer control mechanism. UPnP is sometimes used for file or printer sharing, but in most cases it can be disabled with no ill effects.

5) The setting used on the Linksys router used in testing.

In slasher movies, there’s often a scene where terrified teenagers try to trace the phone calls of a homicidal maniac only to discover that the phone calls are coming from inside the building.

A recent spam case that was referred to the Lab reminded us of one of those scenes and underscored the fact that everyone should be suspicious of unsolicited emails. This is especially true of unsolicited emails that ask you to run something on your computer, no matter WHO they come from at any time.

In this particular case, the spam emails were sent to users within a medium-sized professional firm. They were carefully crafted to appear to be an Adobe security update originally sent to the Assistant Director of Information Technology and then individually forwarded from her. (Names and domains in the message have been changed.)

The bulk of the message looks like a security update from Adobe regarding vulnerability CVE-2010-0193. The linked executable actually is a malicious file that installs a Trojan backdoor program. The linked .PDF also contains a clickable link to the Trojan. Adobe already has reported this spam campaign here:

http://blogs.adobe.com/psirt/2010/05/alert_adobe_security_update_em.html

What’s particularly interesting is just above the forwarded message. The information about the sender of the email – Jane Doe, Assistant Director of Information Technology, JaneDoe@phished.com – is ‘real’ data, most likely harvested from elsewhere on the Internet, and would appear to be normal to co-workers within her company. Her email address is used in the body of the forwarded message as well, making it appear that it really was sent directly to Jane and then she is forwarding it along. Except that she isn’t.

The ‘From’ field of the email has been spoofed (i.e., faked), something spammers easily can do. Instead, examination of the internal email headers reveals that the entire message was sent from a compromised computer in West Virginia.

It is common for spam to be sent with faked ‘From’ data; however, this case takes that even a step further. The ‘From’ name was chosen specifically in order to gain the trust of the users at phished.com who received the messages. This was a deliberate and targeted batch of spam, sometimes called “spear” phishing, which demonstrates just how clever the bad guys are and just how cautious we as users have to be.

Barracuda Spam Firewalls block these emails.

Below are various screenshots of the targeted attack in action.

The targeted email seemingly coming from inside the organization.

The spoofed "from" address, which appears to be correct.

The .PDF mentioned in the email message that contains a malicious link.

Malicious file in action: the presumed software license agreement.

Malicious file in action: setup wizard.

Malicious file in action: accepting terms of the license agreement.

Malicious file in action: ready to install.

Malicious file in action: prompt to reboot.

Malicious file in action: execution complete.

If you’re working on your Atlantic Coast Conference brackets this week, be extra careful where you click. Cybercriminals are up to their old tricks and hoping you’ll make a fast break to their Web sites.

To raise the chances that you will, they’ve taken over popular search terms such as “ACC Tournament Schedule 2010″ and “ACC Tournament Bracket” and inserted poisoned links that lead to Rogue AV sites. SEO poisoning continues to pick up steam as attackers race to re-direct your browser to a Web site serving up various malicious programs. In this case, “CleanUp Antivirus” Rogue AV seems to be the flavor of choice.

As part of this experiment, Barracuda Labs discovered that a Google search for “ACC Tournament Schedule 2010″ returned 23 malicious links within the first 50 results. Unless you know how to tell the difference between the good links and the bad ones, you stand almost a 50% chance of having your computer taken over by “Scareware” that tries to separate you from as much as $90 for the fake software.

We discuss Rogue AV and SEO poisoning in more detail in our 2009 Annual Report released this week. The attacks are becoming increasingly more popular as hackers target vulnerabilities in legitimate Web sites, making it more likely for the page to be visited and the malicious content to be delivered. .

CNBC sites surveys that show almost 45% of American workers participate in March Madness pools at work. Much of this research is happening on company time, causing a significant decrease in employee productivity as loyal fans follow their favorite teams. While the boss may turn a blind eye to that activity, a malware infection sure won’t help your ranking at work.

Barracuda Web Filter and Barracuda Web Security Service customers are protected from this attack.

Below are screenshots that trace the attack.

Top results for ACC Tournament Schedule 2010 from Google

Top results for ACC Tournament Schedule 2010 from Google

Beginning at result 11, the links all lead to malicious content.

Beginning at result 11, the links all lead to malicious content.

When the user clicks on a poisoned link, the following page pops up briefly.

When you click on a poisoned link, this page pops up briefly.

Next, an official-looking warning appears.

Next, an official-looking warning appears.

Followed by bad news, which is completely untrue.

Followed by bad news, which is completely untrue.

The Web page wants the user to run a file. Don’t do this!

The Web page wants you to run a file. Don't do this!

If the user does run the file, the user will become infected with CleanUp Antivirus.

If you do run the file, you are infected with CleanUp Antivirus.

CleanUp Antivirus repeatedly sends you to this ‘money page’ where the user is asked to submit a credit card.

CleanUp Antivirus repeatedly sends you to this 'money page' where the user is asked to submit a credit card.

As part of an ongoing effort to make the Web a safer place for both business and casual users, Barracuda Labs decided to take a deeper look at one of the Web’s fastest growing social networks, Twitter. We reviewed growth drivers, usage trends and the overall crime rate, analyzing both legitimate and malicious users for 2009. Today, we published our findings as part of our Barracuda Labs Annual Report.  This report revisits an analysis completed by the team in June 2009, following the launch of TweetGrade (www.tweetgrade.com), and coincides with recent accounts of Twitter’s explosive growth – reportedly reaching 50 million tweets per day.

Our analysis is based on nearly 19 million Twitter accounts, in which we analyzed the frequency and content of tweets, user-to-user interactions, and each account’s overall activity level.

The bottom line is this: users are more active on Twitter; more users joined Twitter in 2009 following a massive influx of celebrities to the site; and sure enough, the criminals followed the users in a forceful way causing the overall Twitter Crime Rate to spike.

So let’s dig into the results…

HOW PEOPLE ARE USING TWITTER

Twitter Follower vs. Following Trends – What’s a True Twitter User?

Notably, people are using Twitter more actively. For the purpose of this exercise, we define a True Twitter User as someone who has three main attributes:

1. Has at least (≥) 10 followers
2. Follows at least (≥) 10 people
3. Has tweeted at least (≥) 10 times

Interestingly, our study shows that only 21 percent of Twitter users fall within our definition parameters and are True Twitter Users.

What do we mean by “more active” on Twitter? Essentially, this means that:

• Users are following more user accounts
• Users are being followed back by more user accounts and more often
• Users are tweeting more.

Today, only 17 percent of Twitter users have zero followers, which is a 40 percent increase in the number of users that now have “more” followers (i.e. ≥ 10 followers) when compared to 30 percent in June 2009.

Our analysis also found:

• 26 percent of users now have at least (≥) 10 followers, showing a 30 percent increase since June when only 20 percent of users had at least (≥) 10 followers.
• 40 percent of users are following at least (≥) 10 user accounts, showing an 18 percent increase since June.
• 27 percent of users have tweeted 10 times or more, showing a 29 percent increase since June.

Additionally, today there is a trend toward users actually using Twitter as a two-way communication tool versus as an RSS feed or “information fire hose.”  In fact, 36 percent of Twitter users today have more followers than the accounts they are following, showing an 80 percent increase since June when that number was only 20 percent.

Twitter Users More Active

Not only are people becoming more connected on Twitter, they also are becoming more active:

• 27 percent of users have tweeted at least (≥) 10 times, which is a 29 percent increase since June.
• Moreover, today there are 34 percent of users who have not tweeted since they created an account. While that still seems like a fairly high percentage of inactive accounts, it shows an eight percent decrease (down from 37 percent) since June 2009, demonstrating that people are becoming more active.

What’s even more interesting is that the most active users on Twitter are not the ones with the most followers.

• Users with an average of 1,000 followers actually tweet the most, as compared to those with fewer than 100 followers or more than 100,000 followers.

TWITTER GROWTH & THE TWITTER RED CARPET ERA

Further, some remarkable trends emerge as we review how Twitter’s growth has taken shape. Based on when a member joined Twitter, we plotted a Twitter growth chart. This chart illustrates a very concentrated growth spurt during the early part of 2009 – a time period which we define as the “Twitter Red Carpet Era.”

The Twitter Red Carpet Era falls between November 2008 and April 2009. This is the period of time during which a handful of ‘celebrities’ – including 27 of the top 50 and 48 of the top 100 most followed Twitter users – joined.

• In the beginning of 2008, Twitter was growing approximately 0.31 percent per month. By November 2008, that growth increased to 1.95 percent per month.
• After December 2008, Twitter’s growth exploded from nearly two percent per month, and rising to approximately three-to-four percent per month, before finally peaking at nearly 20 percent per month in April 2009.
• At the end of the “Twitter Red Carpet Era,” growth appears to have normalized, dropping back to 0.34 percent by December 2009.

The following graph illustrates the Twitter Red Carpet Era and the significant impact that these celebrities had on Twitter’s growth as they brought their fan bases with them from the real world to Twitter.

TWITTER CRIME RATE

As millions of users flocked to Twitter during the Twitter Red Carpet Era, so too did the criminals. During this time, numerous accounts were used for malicious purposes such as poisoning trending topic threads with malicious URLs (hidden by the ever popular URL shortening services) aimed at luring Twitter users to sites carrying malware or other malicious content.

The Twitter Crime Rate is defined as the percentage of accounts created per month that are eventually suspended for malicious or suspicious activity, or otherwise misused.

• In 2006, the Twitter Crime Rate was only 1.2 percent.
• By 2007, the Twitter Crime Rate increased slightly to 1.7 percent.
• In 2008, the Twitter Crime Rate averaged around 2.2 percent.

During the Twitter Red Carpet Era, the Twitter Crime Rate increased from 2.02 percent to 3.36 percent, showing a 66 percent increase in the overall Twitter Crime Rate.

As more users joined Twitter in 2009, the Twitter Crime Rate continued to escalate reaching 12 percent     in October 2009. This means that one in eight accounts created was deemed to be malicious, suspicious or otherwise misused and was subsequently suspended – clearly showing that the criminals do, in fact, follow the users online.

Twitter’s proactive response to keep its users’ social networking experience safe is admirable; however, it remains unclear how efficient Twitter is in detecting a malicious account.

Why should you care about how Twitter is used?

At Barracuda Labs, we’re constantly monitoring the Web ecosystem and tracking new trends in malware and other attacks.  Social networking platforms like Twitter and Facebook provide a perfect opportunity for attackers to find their victims, leveraging what users assume to be a “safe” environment. This is evident through the Twitter Crime Rate mentioned above. Attackers employ various techniques to build up their follower list, poison trending topic threads, or initiate other campaigns which can increase the visibility of their tweets, and therefore draw users in to suspicious sites, malicious downloads or other malevolent activity. As social networks continue to gain momentum – and millions of users – there is no doubt that criminals will look to create more sophisticated and serious social engineering attacks against unsuspecting users.

For a deeper dive into these social networking, Web and email attacks, download the Barracuda Labs Annual Report or feel free to drop us a line in the comments section below. We look forward to working with you to solve these problems and make the Web a safer place for corporate and casual users. Meanwhile, be sure to think twice before following someone you don’t know and check out their user profile at TweetGrade.com.